IETF Logo Mail Archive

Re: [Acme] orders, authorizations, and identifiers (oh my)

Daniel McCarney <cpu@letsencrypt.org> Tue, 16 July 2019 14:24 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F9F12008A for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fFQhk-cTXSB for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:24:16 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2558C120086 for <acme@ietf.org>; Tue, 16 Jul 2019 07:24:16 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id y4so21203827wrm.2 for <acme@ietf.org>; Tue, 16 Jul 2019 07:24:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=qXqu2L5eWdFIWKB1pU0/Y5PG8LPijv/GMcGyUfBaGU4=; b=Hwz+kFz5JNmukRIm8P/+0F6ybbTmUITrGZwNjQpJcIlXvwgboU46shRHqzDgUVlRCB iFxfOBH1be/WYbfY0cFv7jw09jxfGuF+6O/XcwkIwLSma/kRWzofadF+CmHgRUunaTgK 0++mT3KXZ45wkg7R+5x506JM8ZA0t6Y2HYqXI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=qXqu2L5eWdFIWKB1pU0/Y5PG8LPijv/GMcGyUfBaGU4=; b=F7+8nRGcMmpPv3aqkHJH3PSTFlKwYIs03bnrSZxlG/jHrm2q3m9cNaiS6ajsOXpWEb fQJ+eieJalDeAIDz2cpo6tu7B4Qu54DG+N+Y01cjThDs8Ttavm1IdsdBXzpGhWZzdMaX AV5BeTghU1qpKOabFiCSwIQqtWZYDFMP8WcVf6UarheO/AIbwgh2WKsnyjB103sKKzoC lhxAPxGcU85mlBHresLkI9jwCeoyxheF0uAmiYCJiBQjWAFHm8xXUzQaAMw41LXm+Sl5 BkGmCXlnrq6Q+6kt0BN+UBaSrAC1fnC5jEzLb88Yp5c8bJfdIt6ODG1u+fE1zzsYGg2S N89g==
X-Gm-Message-State: APjAAAULNqoUtuSHvBQc9wDREYgrgAgva1C6AonSKCloUnZCZ6G1+E7c Syxv5ZrH1CzzhuakhQrL4q1PTb5L9Rd8x43CtO08U2upP+Q=
X-Google-Smtp-Source: APXvYqyMw8hCkqSOU4X1yEQVJOZrfio7vlZfLtLpcuHLOtFR7cEo4xSdsiU1t5BdSv8iOSoWIXP3j83Qh431PtKVIdc=
X-Received: by 2002:adf:e442:: with SMTP id t2mr30709671wrm.286.1563287054612; Tue, 16 Jul 2019 07:24:14 -0700 (PDT)
MIME-Version: 1.0
References: <21BBD7F5-8D80-4ACC-B51F-B362A39A5A93@felipegasper.com> <CAKnbcLiQ5+byqfTtf8WA7QPYLufc6TFb97dAFH0Tdc5XzJusZQ@mail.gmail.com> <BAF155C7-90CF-4FE5-BE24-35BD9FDFA900@felipegasper.com>
In-Reply-To: <BAF155C7-90CF-4FE5-BE24-35BD9FDFA900@felipegasper.com>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Tue, 16 Jul 2019 10:24:03 -0400
Message-ID: <CAKnbcLjF_6x4nkht4CzJBomMwzVXkTQz1p5b=ioaVcT+PnumbQ@mail.gmail.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000092a4f5058dcd21ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XizMV4mYNWoIg3vd21RR_-RuAZY>
Subject: Re: [Acme] orders, authorizations, and identifiers (oh my)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 14:24:18 -0000

>
> So if we tell the human operator, “Jane & Pat gave the OK, but Fred said
> not”, then it’s left to server policy to determine whether that means a
> hypothetical order with just one or the other domain would pass all authzs?


No, if the server returned three authorizations all three must be
status=valid for the order to be ready for issuance. Earlier drafts had a
notion of challenge combinations that would allow something sort of similar
but it was dropped.

Per 7.1.6:

Order objects are created in the "pending" state. Once all of the
> authorizations listed in the order object are in the "valid" state, the
> order transitions to the "ready" state.


The server policy is exercised by the choice of authorizations/challenges
in the pending order, not by the client deciding which authorizations in an
order to satisfy.

On Tue, Jul 16, 2019 at 10:11 AM Felipe Gasper <felipe@felipegasper.com>
wrote:

>
> > On Jul 16, 2019, at 9:28 AM, Daniel McCarney <cpu@letsencrypt.org>
> wrote:
> >
> > So it would be reasonable for this order to contain a single authz … and
> would that authz’s identifier be just “example.com”, then? Thus that
> authz object would not reference “www”, even though it is that domain’s
> corresponding authz object? Or would a client be accountable for
> implementing a “best-match authz” lookup to determine which authz
> corresponds to a given domain?
> >
> > Yes, I would expect the order's one authorization to have the identifier
> "example.com".
> >
> > I believe the confusion here is when you say "even though it is that
> domain's corresponding authz object" and "Since the order requires
> successful authz for both domains".
> >
> > For the first part, as I understand there is no guaranteed
> correspondence between any of the identifiers in the order request and the
> identifiers in the returned authorizations. That's what the sentence you
> quoted on p26 is meant to convey. The client shouldn't attempt to match
> authz's to requested identifiers at all, it should just look at the
> identifiers in the authorizations returned by the server and prove control
> of those identifiers with the challenges available.
>
> Thank your for your response. I think I see what’s going on.
>
> To flesh out a hypothetical a bit more:
>
> order identifiers: example.com, www.example.com
>
> authzs:
>   0)
>     - identifier: { type: person, value: Fred }
>     - challenge: ask if it’s ok
>   1)
>     - identifier: { type: person, value: Jane }
>     - challenge: ask if it’s ok
>   2)
>     - identifier: { type: person, value: Pat }
>     - challenge: ask if it’s ok
>
> So if we tell the human operator, “Jane & Pat gave the OK, but Fred said
> not”, then it’s left to server policy to determine whether that means a
> hypothetical order with just one or the other domain would pass all authzs?
>
> -F

v2.23.0 | Report a Bug | By Email